Splunk Search

Where to Start - Field Extraction

SplunkUser5888
Path Finder

Hi guys,
I've got a script uploading html files into Splunk. This uses IOC to check which hosts are infected and by what malware. What the malware changes and so on. I have one particular file which has the name of the Malware, the hash, a description and even the files changed. Added with the IP address of the host, it has everything.

My question is though, how do I tell splunk where to find the name of the malware and where the hash is. Bearing in mind that the name location will stay the same but the name will differ depending on the malware found.
I need this so as to have counters and timecharts of which host is infected by what.

Sample File:

xmlns:ioc="http://schemas.mandiant.com/2010/ioc" id="openioc">
<div id="openioc-head">
<div id="openioc-logo"></div>
<div id="openioc-title">
<h1>
  ZeroAccess/Siref.P</h1>
<h4>0d0a744b-f7bf-453d-9105-5662bc27086e</h4>
</div>
</div>
<div id="openioc-main">

Show all 115 lines

host=192.168.89.137  

I need to tell Splunk that in indexes with xmlns:ioc have the malware title in h1 and the hash in h4

Thanks for your help

Tags (2)
0 Karma
1 Solution

antlefebvre
Communicator

Try

(?i)<h1>(?P<dd>[^<]+)

and

(?i)<h4>(?P<dd>[^<]+)

Where "dd" is going to be what you want to call the field extraction. Use FIELDNAME if you are using the interactive field extractor. Then name it when you save.

View solution in original post

0 Karma

antlefebvre
Communicator

Try

(?i)<h1>(?P<dd>[^<]+)

and

(?i)<h4>(?P<dd>[^<]+)

Where "dd" is going to be what you want to call the field extraction. Use FIELDNAME if you are using the interactive field extractor. Then name it when you save.

0 Karma

antlefebvre
Communicator

regex is painful for me as well. Try the interactive field extractor or the | erex command. Much easier.

0 Karma

SplunkUser5888
Path Finder

Thanks that was perfect, I'm still trying to get around regex 😛

0 Karma

SplunkUser5888
Path Finder

Thanks for the help, I'm away for the week so I'll try it when I get back.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...